Switch JWT signing from HS256 to RS256 (4096-bit RSA)
- Replace symmetric SECRET_KEY with JWT_PRIVATE_KEY / JWT_PUBLIC_KEY (PEM) - Add iat claim to every token - Add expand_newlines validator in config for single-line .env PEM values - Add scripts/generate_jwt_keys.py key-generation helper - Update security-auditor agent JWT checklist with RS256 enforcement rules - Mark RS256 as done in TODO.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
+5
-1
@@ -1,3 +1,7 @@
|
||||
DATABASE_URL=postgresql+asyncpg://postgres:password@localhost:5432/destroying_sap
|
||||
SECRET_KEY=change-me-in-production
|
||||
CORS_ORIGINS=["http://localhost:5173"]
|
||||
|
||||
# RS256 JWT keys — generate with: python scripts/generate_jwt_keys.py
|
||||
# Paste the output of that script here (single-line PEM with \n escaped)
|
||||
JWT_PRIVATE_KEY=""
|
||||
JWT_PUBLIC_KEY=""
|
||||
|
||||
Reference in New Issue
Block a user